Security
Headlines
HeadlinesLatestCVEs

Headline

Supply Chain Risk Mitigation Must Be a Priority in 2025

A balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation is key to managing and mitigating risk.

DARKReading
#vulnerability#git#auth#ssh#zero_day

Rob T. Lee, Chief of Research & Head of Faculty, SANS Institute

December 19, 2024

5 Min Read

Source: Michael Burrell via Alamy Stock Photo

COMMENTARY

Israel’s electronic pager attacks targeting Hezbollah in September highlighted the dangerous ramifications of a weaponized supply chain. The attacks, which leveraged remotely detonated explosives hidden inside pager batteries, injured nearly 3,000 people across Lebanon, as a worst-case reminder of the inherent risk that lies within global supply networks.

The situation wasn’t just another doomsday scenario crafted by financially motivated vendors hoping to sell security products. It was a legitimate, real-world byproduct of our current reality amid the escalating proliferation of adversarial cybercrime. It also underscored the dangers of relying on third-party hardware and software, with roots back to foreign countries of concern — something that happens more often than one might expect. For example, on Sept. 12, a US House Select Committee Investigation revealed that 80% of the ship-to-shore cranes at American ports are manufactured by a single Chinese government-owned company. While the committee did not find evidence that the company used its access maliciously, the vulnerability could have enabled China to manipulate US maritime equipment and technology in the wake of geopolitical conflict.

As nation-state actors explore new avenues for gaining geopolitical advantage, securing supply chains must be a shared priority amongst the cybersecurity community in 2025. Verizon’s “2024 Data Breach Investigations Report” found that the use of zero-day exploits to initiate breaches surged by 180% year-over-year — and among them, 15% involved a third-party supplier. The right vulnerability at the wrong time can put critical infrastructure in the crosshairs of a consequential event.

Implementing impactful supply chain protections is far easier said than accomplished, due to the complexity, scale, and integration of modern supply chain ecosystems. While there isn’t a silver bullet for eradicating threats entirely, prioritizing a targeted focus on effective supply chain risk management principles in 2025 is a critical place to start. It will require an optimal balance of rigorous supplier validation, purposeful data exposure, and meticulous preparation.

Rigorous Supplier Validation: Moving Beyond the Checkboxes

Whether it’s cyber warfare or ransomware, modern supply chain attacks are too sophisticated for organizations to fall short on supplier validation. Now is a vital time to move beyond self-reported security assessments and vendor questionnaires and migrate toward more comprehensive validation processes that prioritize regulatory compliance, response readiness, and secure-by-design.

Ensuring adherence to evolving industry standards must be a foundational driver of any supplier validation strategy. Is your supplier positioned to meet the European Union’s Digital Operational Resilience Act (DORA) and Cyber Resilience Act (CRA) regulations? Are they aligned with the National Security Agency’s CNSA 2.0 timelines to defend against quantum-based attacks? Do their products possess the cryptographic agility to integrate the National Institute of Standards and Technology’s (NIST’s) new Post-Quantum Cryptography (PQC) algorithms by 2025? These examples are all important value drivers to consider when selecting a new partner.

Chief information security officers (CISOs) should still push further by mandating actual evidence of cyber resilience. Conduct annual on-site security audits for suppliers that assess everything from physical security measures and solution stacks to IT workflows and employee training programs. In addition, require your suppliers to provide quarterly penetration testing reports and vulnerability assessments, then thoroughly review the documents and track remediation efforts.

Equally crucial to rigorous validation is gauging a supplier’s incident response readiness via notification procedures, communication protocols, practitioner expertise, and cross-functional collaboration. Any joint cyber-defense strategy should also be underpinned by a shared commitment to secure-by-design principles and robust product security testing protocols that are integrated into supply chain risk assessments. Implemented during the early stages of product development, secure-by-design helps reduce an application’s exploit surface before it is made available for broad use. Product security testing provides a comprehensive understanding of how utilizing a particular product will impact your threat model and risk posture.

Purposeful Data Exposure: Less Is Always More

Less (access) is more when it comes to protecting data in supply chain environments. Organizations should be focused on adopting purposeful approaches to data sharing, carefully considering what information is truly necessary for a third-party partnership to succeed. Limiting the exposure of sensitive information to external suppliers via scaled zero-trust concepts will help reduce your supply chain attack surface exponentially, which in turn simplifies the management of third-party risk.

An important step in this process involves implementing stringent access controls that restrict credentials to only essential data and systems. Data aging and retention policies also play a crucial role here. Automating processes to phase out legacy or unnecessary data helps ensure that even if a breach occurs, the damage is contained and privacy is maintained. Leveraging encryptions aggressively across all data touchpoints accessible to third parties will also add an extra layer of protection for undetected breaches that occur throughout the wider supply chain ecosystem.

Meticulous Preparation: Assumption of Breach Mindset

As supply chain attacks accelerate, organizations must operate under the assumption that a breach isn’t just possible — it’s probable. An “assumption of breach” mindset shift will help drive more meticulous approaches to preparation via comprehensive supply chain incident response and risk mitigation.

Preparation measures should begin with developing and regularly updating agile incident response processes that specifically cater to third-party and supply chain risks. For effectiveness, these processes will need to be well-documented and frequently practiced through realistic simulations and tabletop exercises. Such drills help identify potential gaps in the response strategy and ensure that all team members understand their roles and responsibilities during a crisis.

Maintaining an up-to-date contact list for all key vendors and partners is another crucial component to preparation. In the heat of an incident, knowing exactly who to call at Vendor X, Y, or Z can save precious time and potentially limit the scope of a breach. This list should be regularly audited and updated to account for personnel changes or shifts in vendor relationships.

Organizations should also have a clear understanding of the shutdown and containment procedures for each critical application or system within their supply chain. While it’s impossible to predict every potential scenario, a well-positioned team armed with comprehensive response plans and intimate knowledge of their supply chain environment is far better equipped to combat adversarial threat actors.

About the Author

Chief of Research & Head of Faculty, SANS Institute

Known as the “Godfather of Digital Forensics and Incident Response (DFIR),” Rob T. Lee is one of the most renowned cybersecurity experts and thought leaders working today, with over 20 years of experience in computer forensics, incident response, threat hunting, vulnerability and exploit discovery, and intrusion detection/prevention. Rob has mentored many of the cybersecurity experts working today.

Rob currently serves as chief of research and head of faculty at SANS Institute, the world’s leading cybersecurity and digital forensics training company. He is also regularly hired as a consultant and technical adviser by US Congress, federal agencies, and the US military to investigate and review data security breaches. Within the private sector, Rob helps corporations as a hands-on cybersecurity practitioner to look into security breaches, trade secret thefts, and other cybersecurity issues.

DARKReading: Latest News

US Ban on TP-Link Routers More About Politics Than Exploitation Risk